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DETAILED ACTION 



1 . The Information Disclosure Statements filed on 4/1 2/2004 and 4/22/2005 have 
been considered by the examiner. 

2. Claims 1-27 are pending in the application. 

3. Below, Examiner has pointed out particular references contained in the prior 
art(s) of record in the body of this action for the convenience of the applicant. Although 
the specified citations are representative of the teachings in the art and are applied to 
the specific limitations within the individual claims, other passages and figures may 
apply as well. Applicant should consider the entire prior art as applicable as to the 
limitations of the claims. It is respectfully requested from the applicant, in preparing the 
response, to consider fully each reference in its entirety as potentially teaching all or 
part of the claimed invention, as well as the context of the passage as taught by the 
prior arts or disclosed by the examiner. 

Claim Rejections - 35 USC § 101 

1. 35 U.S.C. 101 reads as follows: 



Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 
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2. Claims 1-26 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter, as they do not fall under any of the statutory 
classes of inventions. The language in the specification (p. 3- line 28, p. 4- lines 1 -2) 
and claims raise an issue because the claims are directed merely to an abstract idea 
that is not tied to an article of manufacture which would result in a practical application 
producing a useful, concrete, and tangible result to form the basis of statutory subject 
matter under 35 U.S.C. 101. 

■ Considering Claims 1, 6, 14, could reasonably be drawn to functional 
descriptive material, per se, i.e., "program" may be taken to mean 
software alone, and as such, the methods of claims 1,6, 14, and 24, 
would be directed to non-statutory subject matter. 

■ Considering Claims 20 and 24, could reasonably be drawn to functional 
descriptive material, per se, i.e., "program" may be taken to mean 
software alone, and as such, the apparatus of claim 20 and the computer 
readable medium (CRM) of claim 24, would be directed to non-statutory 
subject matter. The specification states that "When implemented in 
software, these modules can reside on any (CRM) computer-readable 
medium or media such as a hard disk, floppy disk, optical disk, etc." (p. 3- 
line 28, p. 4- lines 1-2). The modules, when implemented in software 
residing on a CRM are non-statutory until they are executed and produce 
a useful, concrete, and tangible result. 
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Claim Rejections - 35 USC §112 

1 . The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

2. Claims 5-13 are rejected under 35 U.S.C. 1 12, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

■ Considering Claims 5 and 6, by applicants' definition, "code having a 
decryption loop and a body," is malicious code (p. 3- lines 17-22). 
Therefore, it is unclear how to determine if these items contain malicious 
code as claimed. 

Claim Rejections ■ 35 USC § 102 

1 . The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

2. Claims rejected under 35 U.S.C. 102(b) as being anticipated by Yamamoto (US 
5,881,151), hereafter "Yamamoto". 
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3. Considering Claims 1 and 24, Yamamoto discloses a method for determining 
whether computer code contains malicious code (abstract), said method 
comprising the steps of: optimizing the computer code to produce optimized code 
(column 4- lines 51-55, column 5- lines 26-38, Fig. 3- item 38); and subjecting the 
optimized code to a malicious code detection protocol (column 6- lines 1-4 and 
38-50, Fig. 5, Fig. 10). 

4. Considering Claims 2 and 25, Yamamoto discloses the malicious code detection 
protocol is a protocol from the group of protocols consisting of pattern matching, 
emulation, check summing, heuristics, tracing, X-raying, and algorithmic 
scanning (column 7- lines 51-56, column 8- lines 7-20, Fig. 10). 

5. . Considering Claims 3 and 26, Yamamoto discloses the optimizing step 

comprises performing at least one technique from the group of techniques 
consisting of constant folding, copy propagation, non-obvious dead code 
elimination, code motion, peephole optimization, abstract interpretation, 
instruction specialization, and control flow graph reduction (column 5- lines 32- . 
38) 



6. 



Considering Claim 4, Yamamoto discloses at least two of said techniques are 
combined synergistically (column 5- lines 26-38). 
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Claim Rejections - 35 USC §103 

1 . The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 5-13 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Yamamoto in view of Nachenberg (US 5,826,013), hereafter "Nachenberg". 

3. Considering Claim 5, Yamamoto discloses optimizing code prior to performing 
virus detection (Fig. 3). 

Yamamoto is silent on the computer code is polymorphic code comprising a 
decryption loop and a body; and the optimizing step comprises optimizing just the 
decryption loop. 

Nachenberg discloses the computer code is polymorphic code (column 1- lines 
14-17) comprising a decryption loop and a body (column 1- lines 25-33); and the 
optimizing step comprises optimizing just the decryption loop (column 6- lines 54- 
67, column 7- lines 1-8, Fig. 2- item 200). 
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Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Yamamoto to 
optimize just the decryption loop as taught by Nachenberg in order to 
substantially reduce the number of file instructions that must be emulated in 
order to determine whether a target file is infected by a virus (Nachenberg- 
column 6- lines 56-59). 

4. Considering Claim 6, Yamamoto discloses optimizing code prior to performing 
virus detection (Fig. 3). 

Yamamoto is silent on optimizing the decryption loop to produce optimized loop 
code; performing a malicious code detection procedure on the optimized loop 
code; optimizing the body to produce optimized body code; and subjecting the 
optimized body code to a malicious code detection protocol. 

Nachenberg discloses optimizing the decryption loop to produce optimized loop 
code (column 6- lines 54-67, column 7- lines 1-8, Fig. 2- item 200); performing a 
malicious code detection procedure on the optimized loop code (column 6- lines 
54-67, column 7- lines 1-8, Fig. 2- item 200); optimizing the body to produce 
optimized body code (column 6- lines 54-67, column 7- lines 1-8, Fig. 2- item 
200); and subjecting the optimized body code to a malicious code detection 
protocol (column 8- lines 18-37). 
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Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Yamamoto to 
optimize just the decryption loop as taught by Nachenberg in order to 
substantially reduce the number of file instructions that must be emulated in 
order to determine whether a target file is infected by a virus (Nachenberg- 
column 6- lines 56-59). 

5. Considering Claims 7 and 8, the combination of Yamamoto and Nachenberg 
discloses the malicious code detection protocol is a protocol from the group of 
protocols consisting of pattern matching, emulation, check summing, heuristics, 
tracing, X-raying, and algorithmic scanning (Yamamoto- column 7- lines 51-56, 
column 8- lines 7-20, Fig. 10). 

6. Considering Claim 9, the combination of Yamamoto and Nachenberg discloses 
the step of optimizing the body comprises using at least one output from the 
group of steps consisting of optimizing the decryption loop and performing a 
malicious code detection procedure on the optimized loop code (Yamamoto- Fig. 
3- item 38, Nachenberg- column 6- lines 63-65, column 7- lines 64-67, column 8- 
lines 1-4). 



Application/Control Number: 10/763,673 Page 9 

Art Unit: 2135 

7. Considering Claim 10, the combination of Yamamoto and Nachenberg discloses 
when the step of performing a malicious code detection procedure on the 
optimized loop code indicates the presence of malicious code in the computer 
code, the steps of optimizing the body and subjecting the optimized body code to 
a malicious code detection protocol are aborted (Nachenberg- column 11- lines 
2-7). 

8. Considering Claims 11 and 12, the combination of Yamamoto and Nachenberg 
discloses after the step of performing a malicious code detection procedure on 
the optimized loop code, revealing an encrypted body (Nachenberg- column 9- 
lines 33-38). 

9. Considering Claim 13, the combination of Yamamoto and Nachenberg discloses 
the step of revealing an encrypted body comprises applying a key gleaned from 
the optimized loop code (Nachenberg- column 5- lines 52-58, column 9- lines 33- 
38). 

10. Claims 14-18 and 20-23 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Yamamoto in view of Chan et al. (US 5,734,908), hereafter "Chan". 

1 1 . Considering Claim 14, Yamamoto discloses a method for optimizing computer 
code that is suspected of containing malicious code (abstract). 
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Yamamoto does not explicitly disclose performing a forward pass operation; 
performing a backward pass operation; performing a control flow graph 
reduction; arid iterating the above three steps a plurality of times. 

Chan does disclose performing a forward pass operation (column 10- lines 34-47 
and 56-67, Fig. 5- item 510); performing a backward pass operation (column 6- 
lines 14-33 and 43-57, Fig. 4A); performing a control flow graph reduction 
(column 6- lines 1-6); and iterating the above three steps a plurality of times 
(column 6- lines 14-33, column 7- lines 17-25, Fig. 4A, Fig. 5). 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Yamamoto by 
performing a forward pass operation; performing a backward pass operation; 
performing a control flow graph reduction; and iterating the above three steps a 
plurality of times as taught by Chan in order to more fully utilize the resources of 
the target machine, thereby enhancing system performance. In particular, the 
GID unit 116 distributes (moves) instructions from one basic block to other basic 
blocks (in either the forward or backward direction). The GID unit 116 performs 
this instruction distribution/movement optimization when it is profitable to do so 
from an execution viewpoint (that is, when such instruction movement would 
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result in faster executing and tighter resource-utilized object code 118) (Chan- 
column 3- lines 10-20). 



12. Considering Claim 15, the combination of Yamamoto and Chan discloses the 
iteration of the three steps stops after either: a pre-selected number of iterations; 
or observing that no optimizations of the computer code were performed in the 
most recent iteration (Chan- column 7- lines 36-45, column 11- lines 38-41, Fig. 
4A, Fig. 5). 

1 3. Considering Claim 16, the combination of Yamamoto and Chan discloses the 
step of performing a code motion procedure, wherein the four steps are iterated a 
plurality of times (Chan- column 6- lines 14-34). 

14. Considering Claim 17, the combination of Yamamoto and Chan discloses the 
forward pass operation comprises at least one of the following steps: peephole 
optimization; constant folding; copy propagation; forward computations related to 
abstract interpretation; and instruction specialization (Chan- column 10- lines 34- 
47, Fig. 5- item 510). 



15. 



Considering Claim 18, the combination of Yamamoto and Chan discloses the 
backward pass operation comprises at least one of the steps of backward 
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computations related to abstract interpretation and local dead code elimination 
(Yamamoto- column 5- lines 26-38). 

16. Considering Claim 20, Yamamoto discloses an apparatus for countering 
malicious computer code (abstract). 

Yamamoto does not explicitly disclose a peephole optimizer; coupled to the 
peephole optimizer, a state tracking module; and coupled to the peephole 
optimizer and to the state-tracking module, an instruction specialization module. 

Chan does explicitly disclose a peephole optimizer (column 10- lines 34-47, Fig. 
5- item 510); coupled to the peephole optimizer, a state tracking module (column 
11- lines 34-37, Fig. 5- item 513); and coupled to the peephole optimizer and to 
the state-tracking module, an instruction specialization module (column 12- lines 
60-67, column 13- lines 1-20, Fig. 1- item 152), 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Yamamoto by a 
peephole optimizer, a state tracking module, and an instruction specialization 
module as taught by Chan in order to more fully utilize the resources of the target 
machine, thereby enhancing system performance. In particular, the GID unit 116 
distributes (moves) instructions from one basic block to other basic blocks (in 
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either the forward or backward direction). The GID unit 116 performs this 
instruction distribution/movement optimization when it is profitable to do so from 
an execution viewpoint (that is, when such instruction movement would result in 
faster executing and tighter resource-utilized object code 118) (Chan- column 3- 
lines 10-20). 

17. Considering Claim 21, the combination of Yamamoto and Chan discloses a 
virtual state memory module coupled to the state-tracking module (Chan- column 
11- lines 34-37, Fig. 5- item 513). 

1 8. Considering Claim 22, the combination of Yamamoto and Chan discloses a 
driver module coupled to the instruction specialization module and to the state- 
tracking module (Chan- column 3- lines 46-53, Fig. 1- item 116). 

19. Considering Claim 23, the combination of Yamamoto and Chan discloses the 
peephole optimizer comprises an instruction-reordering module (Chan- column 
10- lines 56-67). 

20. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Yamamoto and Chan in view of Lovett et al. (US 2004/0221279), hereafter "Lovett". 
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21 . Considering Claim 19, the combination of Yamamoto and Chan does not 
explicitly disclose the backward pass operation comprises the additional step of 
global dead code elimination. 

Lovett does explicitly disclose the backward pass operation comprises the 
additional step of global dead code elimination ([0091]- line 6, [0104]). 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the combination of Yamamoto and 
Chan by adding the additional step of global dead code elimination as taught by 
Lovett in order to transform the IR (intermediate representation) to remove dead 
regions and thereby reduce the amount of work that must be performed by the 
target code (Lovett- [01 04] lines 8-1 0). 

22. Claim 27 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Yamamoto in view of Lovett. 

23. Considering Claim 27, Yamamoto discloses a method for determining whether 
computer code contains malicious code (abstract), said method comprising the 
steps of: performing a dead code elimination procedure on the computer code 
(column 5- lines 26-38, Fig. 3); declaring a suspicion of malicious code in the 
computer code (column 6- lines 31-37, Fig. 10- S5). 
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Yamamoto does not explicitly disclose noting the amount of dead code 
eliminated during the dead code elimination procedure and when the amount of 
dead code eliminated during the dead code elimination procedure exceeds a pre- 
selected dead code threshold. 

Lovett discloses performing a dead code elimination procedure on the computer 
code ([0104], Fig. 6- item 75); noting the amount of dead code eliminated during 
the dead code elimination procedure ([0107]); and when the amount of dead 
code eliminated during the dead code elimination procedure exceeds a pre- 
selected dead code threshold ([0133], [0144], [0091] lines 1-2, [0098] lines 9-27). 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Yamamoto by noting 
the amount of dead code eliminated during optimization and declaring a 
suspicion of malicious code when that amount exceeds a certain threshold in 
order to prevent the further spread of the virus infection. By outputting the 
message of the interruption of the process due to the virus infection on the 
operator console together with the program name or the program number of the 
object program at the time of interrupting the process, virus infection of a specific 
program or OS can be notified (Lovett- column 7- lines 43-50). 
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Conclusion 

1 . The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

■ US 2002/01 31404 - Optimizing suspected malicious code. 

■ US 5,765,030- Detecting polymorphic virus. 

■ US 5,485,575 - "Degarbling head". 

■ US 6,782,487 - Detection of mutating viruses. 

■ US 2003/0135791 - Decryption loop and body in polymorphic virus. 

■ US 2004/0221280 - Partial dead code elimination optimization. 

■ US 2003/0221 121 - Static Single Assignment (SSA). 

■ US 2005/0204348 - Protecting code by obfuscation through optimization 
techniques. 

■ US 5,812,854 - Components of a compiler. 

■ US 5,797,01 3 - Loop unrolling. 

■ US 5,790,867 - Multi-Pass compiler with extended redundant copy 
elimination. 

■ US 2004/0255279 - Logs amount of dead code and reacts to reaching 
trigger threshold. 

■ US 5,659,752 - Outputs compiler information to a log file. 

■ US 2003/0149969 - Eliminating dead code based on a list. 
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2. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Randal D. Moran whose telephone number is 571-270- 
1255. The examiner can normally be reached on M-F: 7:00 - 4:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Randal D. Moran 
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